<note tip> Note: As of February 1, 2011, BigFix became part of IBM, and the software has been rebranded as IBM Endpoint Manager. </note>

Internet-based attacks upon individual desktop and laptop computers are a world-wide problem. New vulnerabilities are continually discovered. This emphasizes the importance of keeping systems up-to-date by installing security patches as soon as they become available. Failure to keep all systems patched can place everyone on the network at risk.

The School uses a patch management system called BigFix Enterprise Suite (BES). It is administered by the School's computer support group. This patch management system allows us to install critical security patches on computers as soon as they're made available by the software supplier and tested here.

After installing the small Bigfix software package on your computer, it will communicate with the School's Bigfix server to determine its patch status. The server will automatically apply appropriate updates once they have been released. Release of patches occurs after testing and follows a rigorous, but rapid, procedure.

The Bigfix client software is required by the School's network security policy for Windows and Macintosh computers connected to the School network, which in turn builds upon the University's policy regarding “Securing Private Data, Computers, and Other Electronic Devices”.

Certain basic information about the computer is collected - such as IP address and operating system, inventory data such as hardware configuration, and the presence or absence of critical security updates.

Updates applied by Bigfix is limited to the following actions

• critical OS updates from Microsoft or Apple
• critical updates to the following applications: Microsoft Office, Adobe Acrobat, Flash, Apple Quicktime, Sun (Oracle) Java, Firefox.
• reporting on presence or absence of antivirus software

If an update requires a system restart, a warning of several days will generally be given, although we reserve the right to shorten that time in exceptional circumstances.

• Download and install instructions for the BigFix client software: Windows | Macintosh
• We also strongly encourage you to run either Windows Update or Mac OS Update at least once, eitehr before or after installing Bigfix, to get your computer as up-to-date as possible. This will reduce the number of updates Bigfix has to install, and may avoid some additional computer restarts.

Our goal is to keep computers securely patched with the minimum possible inconvenience to their owners. If you experience any unexpected behaviour or have any other questions regarding the patch management system, please send in a Help request.

• Keeping a computer secure and compliant is a lot of work! Consider taking advantage of our fully managed Windows AD or Linux cluster installs, rather than setting everything up yourself. Our systems are deployed centrally, store your data securely in our server room, with backups, and include tons of already-installed software.

After installing bigfix, and if your computer is also registered in our network database for wired access, you will be subscribed to the “bigfix-announce” mailing list. This is a low volume list for us to let you know when updates are being deployed. You can adjust your subscription preference in MyPhys.

• My computer runs some equipment in our lab (controlling or taking data), and cannot be rebooted automatically. What should I do?
  • The best option is to talk to us about moving your machine to a private network with access only to required services (and not the internet). In most cases we can figure out how to make everything you need work. We may even be able to provide an additional computer for your internet-connected activities.
  • Although we discourage it, we can also put your computer into a special group with a longer reboot warning. But you have to accept that bigfix may install patches which can interfere with your equipment, and that we cannot take responsibility for that.
• What if our group runs a server which should not be rebooted automatically?
  • Some servers may be exempt if they are actively managed by a professional systems administrator. Contact us with details.
• I went to install Bigfix and found that my computer's OS is too old to meet requirements
  • If you are able to update your OS to a supported version, that is the simplest solution
  • Otherwise, contact us so we can discuss the options.